Many Internal Audit directors and managers new to their positions sometimes find it difficult to focus on the basics that keep their departments working smoothly, especially when dealing with the challenges of a difficult economy and pressures from Audit Committees adjusting to new regulatory issues. To make matters worse, audit managers often juggle multiple projects at various locations with limited staff and little direction or mentoring from “audit subject matter experts” who, when needed, are difficult to find. Obtaining timely assistance in these situations can be a challenge.

Subscribing to the hundreds of blogs, Twitter, Facebook, LinkedIn and professional networking groups on the web helps, but after a time the inevitable “information overload” occurs and obtaining 120 opinions in 2 hours, each from unknown individuals of varying expertise, and based on assumptions ranging from accurate to insane, can actually hinder decision making. This is why I recently recommended to a new IT Audit Director experiencing this challenge that he purchase “Managing the Audit Function” 3rd Edition, written by Michael P. Cangemi and Tommie Singleton. This book’s 369 pages are an audit manager’s best friend, direct to the point and authoritative. The authors, both highly respected and experienced in the audit field, focus on the key elements needed to successfully manage an internal audit department and include a wide range of forms, policies, guidelines, as well as reporting best practices and organizational / administrative procedures. In my opinion, this is the type of book every internal audit library should have, benefiting both financial and IT audit managers.

Let me review the book in greater detail so you understand why I place so much value in it.

The book is divided into four parts with nine chapters, each thoroughly presented with real life examples focusing on the what, why and when. The first part provides an excellent background on the Fundamentals of the Internal Audit Function (for those who have not had the pleasure of reading Brink’s Modern Internal Auditing), covering auditing standards and the responsibilities of a corporate auditor. The chapters on Internal Controls are precise and cover Risk Assessment and Control Strategies, both of great importance given the current regulatory environment. This first part of the book also introduces the reader to the “Corporate Audit Department Procedures Manual,” which is the tool used by the authors to bring into context each of the many forms and templates presented. At minimum, this book teaches the new audit director or manager how to prepare a high quality Audit Department Procedures Manual!

The second part of the book focuses on the management and administrative aspects of running a corporate audit department. Taking nothing for granted, the first chapter in this section starts with how an audit department should be organized, where it should be in the corporate structure, its charter, policies and personnel. A good amount of focus is given to the responsibilities, duties and roles of internal audit managers and the CAE, as well as their relationships with external auditors and regulators. An excellent section devoted to audit planning, scoping and implementing is also included (which is later expanded in part three), giving the new manager a quick snapshot of these subjects if they have not obtained it elsewhere. For me, the best chapter in this part of the book is the chapter on Personnel, Administration, and Recruiting, dealing with performance evaluations and overall staff development.

The third part of the book focuses on Technical Procedures. This part makes generous use of sample forms and templates, giving the reader a head start on the creation of these, when needed. The three chapters composing this part of the book are, in my opinion, the best coverage of Audit Planning, Audit Performance and Audit Reporting I’ve seen in a book anywhere. A manager who understands these three chapters is qualified to lead any audit department without worry. The coverage on Materiality, Workpapers and Reports to Management and Audit Committees is magnificent. The authors cover the relevant GAAP, SEC and AICPA procedures, pronouncements and guidance related to these important issues with clarity and directness, making the material digestible and easy to follow (the book was written in 2003, so readers need to read up on all relevant updates to be current).

The last part of the book deals with the Long-Term Effectiveness of a corporate audit department, an area many new directors and managers do not focus on very well, because they tend to focus on the “here and now,” but one that impacts how others see them and measure their success. Here, the authors cover Corporate Governance issues, Quality Assurance, Continuous Improvement systems and Marketing the Audit Function. These discussions increase the awareness of the “marketing” process to new audit managers who need to sell themselves, as much as what they do, in order to succeed in the organization.

I will conclude this very positive review by saying that having this book is like having a well-rounded and dependable subject matter expert in audit management at your disposal each and every time you need a quick answer. If you are a new audit director or audit manager, the book will save you countless hours of research time and frustrations.

The subject of “mental stability” is a mine field that has kept Psychologists and Psychiatrists busy since Sigmund Freud first proposed to make the study of human behavior into a hard science. Today, the meaning of mental stability is still not well defined in the social sciences, so it is extremely difficult for those of us outside of those fields to discuss it, define it or pass judgment on it. However, like pornography, a lack of mental stability in people, especially in the workplace, is something most of us recognize when we see it. As auditors, many of us have had to deal with mentally unstable people at different times and at different levels of the corporate world, including those at executive levels tasked with making significant decisions for their organizations. The effects of mental illness often cause serious negative impacts on the departments and the people the sick individuals interact with. But, because mental illness is still a taboo subject in corporate America, these people remain in their high level posts “undiscovered” for years. As auditors we often hear about managers who constantly change their minds or have difficulties making up their minds for the simplest of things, or directors who have sleeping disorders and call their staffs at 3:00 AM to criticize their peers or to brainstorm strategies without end. Or, the abusive vice-president who obtains pleasure from humiliating her staff in public, insults minorities with “indirect” comments and makes disgusting facial contortions when talking to junior employees. And, one I personally remember… the supervisor who reprimands his team for following the very procedures and policies he instituted a few months earlier. When the person with these types of instabilities is your boss, you have a problem.

I’ve written this article as a result of a discussion I recently held with a Psychologist who specializes in Organizational Psychology, and she pointed out, to my amazement, that in corporate America it is better to be an alcoholic or drug addict than to have a mental disorder. In 2010, most personnel departments address employee and executive level addictions with a variety of solutions such as 12 step programs, psychotherapy, etc., but mental illness, because of the difficulty in “proving it,” carries legal issues that scare the average personnel manager, and so it is awkwardly “ignored.” This process of ignoring the destructive behaviors of mentally unstable managers or executives often includes an “unofficial” gag around direct discussions on the behaviors of the individual; instead, “politically correct” comments like, “you have to be extremely patient to work with Mike,” or “Helen is a little eccentric,” or “Herbert is impulsive and a little abrasive” are heard. At the end of the day folks like Mike, Helen and Herbert terrorize their staffs, ignore business controls, make a mockery of policies and procedures and create an atmosphere of tension that often damages a respectful and cooperative work environment. Worse than that, these individuals almost always chase away good talent and bring about unnecessary risk exposures to the entire company. All of these things have indirect impacts on the work of auditors. I am going to use the “How many controls are enough” example below, to bring the point home.

One of the most common questions asked of auditors is “how many controls do we really need?” The question is often a legitimate one, but it can also hide a myriad of other issues that have little to do with risk management, compliance and audit. Variations of the too many or too few question sometimes come from low level staffers looking to “reduce unnecessary work,” but at other times you hear it from business managers, before Risk Assessment work begins, explaining that “given the fact that we know what our weaknesses are, and we have good controls already, why should we bother evaluating controls and looking for new ones?” At other times you hear the classic given by overzealous project managers, “we only have 10 minutes to discuss each control, so let’s get this over with quickly.” Then there is the direct comment: “This is all a waste of time and I don’t give a %$#@ about you, controls or the audit department.” Most of these excuses or arguments are not presented by mentally unstable people, but some are. When used by mentally unstable people, watch out because all hell breaks loose, and you find yourself in a swamp full of snakes.

Dealing with these challenges is an art most auditors need to perfect. How indeed should these questions be answered, especially to people who do not understand the basics of controls, compliance and risks we auditors carry in our heads? How can all these complex legalistic requirements be translated for people who do not care to understand them, or have no intellectual ability or lack the attention span to “get it” within the short periods of time allotted to the process? These are our normal challenges with “normal” people. The challenges when dealing with mentally unstable managers may be insurmountable. Clearly conveying the message in a professional manner doesn’t cut it. Preparing nice PowerPoint presentations doesn’t cut it. Speaking in a low tone when they are screaming and insulting you doesn’t cut it. What my Psychologist friend pointed out is that these folks are sick, and not misbehaving or involved in temporary tantrums. As untreated sick people, they often cannot control what they are doing. If you do not accept this fact, you will hit your head against the wall trying to interact with them in ways that work for normal folks, but do not for the mentally unstable. You must also understand that these events are not your fault since most mental disorders start early in a person’s life, way before you had the unfortunate luck of stepping in the person’s path.

My Psychologist friend jokingly suggested that auditors receive training on how to interact with people suffering with Attention Deficit Disorders, bipolar disorders and in group dynamics in the corporate environment. A company’s culture is a very complex organism. Even the smallest places have complicated political and social layers (silos) that have nothing to do with the official roles and functions performed by individuals and shown in organizational charts. Decisions in organizations, anyone who is observant will confirm, are not always made based on logic, business reasoning, policies, controls, and/or the need to comply with external regulations. They are often made based on fear, anger, sexual attraction, insecurity, jealousy, greed, hate, prejudices and confusion. Because of these things, it is easy for mentally unstable people to “hide” in the open. In many organizations these behaviors are sheltered because those at the top benefit from that sort of culture. For example, a manager who regularly works 8:00 AM to 9:00 PM (without asking for extra compensation), keeps to himself, does not take well to change, drives his staff like cattle, but surpasses his quotas, may be highly “appreciated” by his superiors. In these types of organizations calls to perform, comply with and produce results based on COSO, CobiT, AS-5, PCAOB, SOX, ITIL, etc… are ignored, stonewalled, analyzed to death or “adjusted” to the point of non-recognition. So, answering the “why do we need these controls?” question can be tricky if you happen to be in the wrong organization or before an unstable manager. Reaching an “understanding” on the need for a dozen or fewer controls can drag on for twelve to eighteen months, or more, easily. Usually, the conclusion of these torturous wasteful exercises is reached via discussions or negotiations that have little to do with the compliance, legal or operational issues originally brought to the table.

Most accountants, auditors, lawyers and IT folks I know have no training on dealing with folks with mental health problems in the workplace. I do not know of anyone who can say they would know how to deal with either mentally unstable managers (those whom they report to) or mental instability in those they audit. Our capitalist system proposes that business people function in a balanced manner because the marketplace acts as an invisible counter-weight to bad or irrational decisions and bad behaviors. By some miracle the “marketplace” is self-policing, self-healing and a good arbitrator of even mental health. The marketplace is supposed to distribute higher profits to those who play by this rule. This neat picture of social and economic behaviors however is flawed. It assumes that all human beings are primarily motivated and controlled by money. Because of this simplistic view, even the smallest of our corporate organizations can be inhabited by well-dressed and impressive looking people with serious mental illnesses. Given the epidemic levels of untreated Attention Deficit Disorders, Personality disorders and bipolar disorders in our society, why is it taboo to conclude that these are also at epidemic levels in corporate America? During the hiring process, when most mental disorders can be identified, most organizations do not ask if the candidate has had a history of mental illness, and current law does not obligate the candidate to disclose the information.

So, what do you do when you determine, based on the “pornography” (when you see it you know it) test, that your boss is mentally unstable? The answer given by my Psychologist friend is simple and direct. The answer is to look for another job as soon as possible, especially if you determine that the organization turns a blind eye to the problem. Many mental disorders are not curable, even though they are treatable if the person obtains long term consistent help, medications and therapy. Given the manner in which our society works, and our corporations are structured, working under a mentally unstable person is a no win situation. Any organization that maintains a person of authority while ignoring his/her signs of mental illness is not a healthy organization and may have other serious problems hidden just under the surface. The responsibility of an auditor is to deal with reality in a transparent manner, trying to report risks that may impact stockholder value, assisting management with controls and solutions for better performance and detecting potential fraudulent acts. When those who manage the audit function, compliance or risk management are mentally unstable, the integrity and reliability of those functions can be in question.

What do you do when you determine, based on the “pornography” (when you see it you know it) test, that someone you are auditing is mentally unstable? The answer depends on whether the mental instability is known in the organization or not. If it’s known, but there is an “unofficial” gag situation, where the personnel department and other managers ignore it, you have a challenge at hand. As an auditor, you have discovered a risk to the organization; you probably also have evidence that the person may be ignoring policies and procedures, is abusive to staff and may have even tampered with audit samples. However, he has held the job for 15 years and each year he gets his bonus and good reviews. His boss of 15 years, a man related to the CFO and a major shareholder, said the guy is “colorful” but “OK.” To help you make the decision, here are a few queries you should answer:

1) What is the likelihood that you are the only auditor during the last 15 years to find these irregularities?

2) Why would the inner circle consider this unstable person “OK” and take the risks associated with his illness?

3) What do other auditors know about the situation, and what do they say?

4) What is the company “culture” like, regarding others who ignore and break company policies and procedures?

5) Is HR aware of and concerned about the problems with the manager and his staff?

6) Are there previous audit reports citing the manager, his department or any compliance issues linked to him?

7) Are there others in the company with similar conditions?

8) Has your superior expressed concern over how you may report the findings, without giving you adequate reasons for the concerns?

9) Have the issues, risks and failures discovered by the auditor been in effect for a long time, in a way that knowledge of them has been an “open secret” requiring that multiple individuals “play along” in order not to make waves?

10) Has there been an insinuation, gossip or small talk to the effect that the auditors should not pursue issues with the individual in question because of his “connections” in the company?

These ten questions should give you a sense of where things are regarding the mentally unstable individual, his social connections in the company, the corporate, legal and business culture that nourished him for 15 years, and how you may best proceed. If the answers to these questions lead you to believe that the organization has been aware of the problem, you may be better off working elsewhere. If multi-billion dollar organizations are reluctant to address these issues and resolve them, you need to carefully think about how you can maintain your professionalism and ethics as an auditor, and that may only be achieved by going elsewhere. When the organization is ready to address the issues at hand, or when it is forced to by the legal system, you can read about it in the newspapers. But, an inquisitive person may ask, “in this situation, don’t you have an obligation to report this information to your superiors?” The answer is “Yes.” But, if they already know about it and want you to keep your mouth shut, what can you do? If you stay in the job, you are in essence taking part in a conspiracy and cover-up little different than those that occur during a financial fraud, and if it blows up, you will have, as the auditor, to answer some hard questions as to what you knew and when you knew it. Most interesting will be how you answer the “why did you not report it” question.

If your queries on the other hand lead you to conclude that you have a new finding, and the mentally unstable person’s condition is unknown to others in audit, HR and/or legal, you should, in consultation with the Chief Audit Officer or Audit Director, find a strategy to address the issue and report it according to said strategy. If the company has a policy for addressing mental health issues, you should consult it and incorporate its guidelines in your approach and documentation. This process will likely not be smooth and easy. Imagine if your findings lead to a psychiatric determination that the CFO has bipolar disorder. Can this finding become a “material weakness” from a SOX perspective? It can be argued that the symptoms of bipolar disorder in the CFO can negatively impact financial reporting! How would you write this up in the 10-K and what would constitute an acceptable “remediation?” Can the board call for the removal of the CFO because of this? When do the lawyers step in?

To be fair to all, not all organizations deal with mental illness problems in a bad manner. Many organizations have invested money and time and have trained their HR and legal departments in ways to address this serious challenge. But, to do so everyone has to admit to the problem and an entirely new set of corporate policies and guidelines needs to be adopted on how to fairly address mental illness in the workplace. As auditors, you will likely see more and more of these situations as the problem in the general population gains media attention and more people are diagnosed with these disorders. It is also important to note that those who suffer from mental disorders, although sometimes disruptive, conflict prone or unpredictable in the work environment, should not be stigmatized or abused because of their illnesses. The mentally unstable deserve professional treatment for their sake and for the sake of those around them. Without it, they pose risks that will not go away by simply ignoring them.

As always, I will welcome reader comments on the subject, especially if they are based on real life work experiences. Thanks for reading!

Thank you for contacting me to express your opinion on banking reform. Your opinion is very important to me, and I appreciate the opportunity to respond to you on this crucial issue.

I appreciate you taking the time to provide your ideas on how we can make changes to the banking industry to improve its efficiency and transparency. Every day New Jerseyans are working very hard to provide for their families, but current market conditions have made it difficult for families to save or access credit. The financial collapse last year demonstrated the need for increased transparency to protect investors and consumers from fraud and irresponsibility. Americans simply cannot afford the risks associated with widespread economic instability such as losses of jobs, savings, and benefits. I am committed to ensuring that our financial markets are fully regulated and operate in the best interest of the American people.

As a member of the Senate Banking Committee, I have long stood for financial reforms that promote smart, healthy, and sustainable development. I rely on the important communications I receive from my constituents to guide my work in the United States Senate. On this, as with any issue, there are many different viewpoints, but please rest assured that I will continue to work diligently to respond to the many valuable insights I receive from New Jerseyans like you.

Finding solutions to the issues you raise is what drives me to keep standing up for New Jersey families. Again, thank you for sharing your thoughts with me. Please do not hesitate to contact me if I may be of more assistance.

To all the readers who left comments regarding the “Dumb Auditor” article: thank you for visiting the blog and taking time to share your excellent ideas with the group. The “Dumb Auditor” article has been read by thousands of interested people from around the world, indicating that the issues discussed are of serious importance to our profession. Most of your comments clearly show “battle scars” resulting from real life work situations, making them more valuable than I ever expected.

It is also clear from your comments that auditors would like some resolution to these problems, or at least some structural changes in the industry that lead to diminishing auditor exposures while they do their jobs protecting shareholder interests. Although many in the business world share similar situations, risks and moral dilemmas, it is the auditor who is expected to uncover fraud and other illegalities with few or no legal and financial protections for themselves. And few are similarly bound to maintain confidentiality about their work and the very things that often get them fired. It is not unusual to hear Internal Auditors tell of stories where they “uncovered too much” and got fired for it, but can’t talk about it! What does this tell us from a legal, societal and ethical perspective, and where does it put the professional organizations that are supposed to provide guidance and protections for the profession?

From the more than 30 comments left in the blog by readers to date, I am particularly impressed and grateful for the following:

1) From Felix, on November 30th.

Excellent proposals with excellent potential. Felix discusses four items that should be considered at the highest levels. Item #4 on his list is something I had thought about in the past (and, I suspect, other auditors have as well), dealing with Professional Liability Insurance “provided by the PCAOB (or other body holding CFO’s/auditors to ethical/moral standards) for auditors and CFO’s. If a CFO or auditor is fired due to claimed unethical reasons, they are eligible to receive 100% of what they were making.”

There are countless types of liability insurance for professionals, such as errors and omissions for attorneys and accountants and medical malpractice. Why not develop one that insures against wrongful dismissal of auditors, especially when the dismissal involves a dispute with management due to the normal performance of the auditor’s duties, ethical or fraud related matters?

2) From Mark Pennington, on November 30th.

I was impressed with the brevity, the directness and the underlying picturesque quality of Mark’s comments.

Disregarding his tone, I think he is correct in that there is a very large segment in management that does not care. Why should they? They do not perceive themselves to be negatively affected, and their personal bank accounts keep increasing instead of decreasing with the status quo.

3) From Rodney Kocot, on December 2nd.

I think Rodney’s comment is the most eloquent posted in terms of describing a situation where auditors get fired for trying to do the right thing. I think that everyone who has been an auditor for several years recognizes this type of story, either from first-hand experience or because it has happened to a peer. Unfortunately, because of confidentiality agreements and fears of being blacklisted, these stories rarely get out to the public or beyond auditor circles.

I appreciate the visit from Adis, a person that has done a great deal of work in the corporate governance and ethics areas, as well as in government.

The need for “Ethics Training” is clear and I am glad someone with a strong background in this area brought it up. However, my sense is that ethics training yields future results and it’s something that impacts entrants to the business world, with limited impact on the “old dogs” running loose right now in positions of authority. Training someone like a Bernie Madoff in “Values” and “Ethics” would be an interesting effort probably yielding few good results. We auditors are in the trenches dealing with societal and organizational challenges as they are now, not as they should be. Most auditors I know view compliance training as something that goes hand in hand with ethics.

I agree with Adis that we should concentrate more on a “Values-Based” ethical culture, because I believe that as a society we dropped the ball on this one a long time ago. I will refer to a few comments posted by Felix on November 30th which reflect my views on this issue:

“What is for sure is also that some crooks would not be crooks if society would not accept as “good” many things that are NOT good. The unfortunate relativism that we live in nowadays is contrary to how the United States was founded. It was founded on deep moral principles and as a result there was a key ingredient that was not there in many other countries or societies throughout history: trust. Trust can only exist when the society is a morally correct society that has not transformed values. In other words when a bad act is considered OK by many and vice versa. The problem we are facing in the United States of today runs deeper than audits and rules.

The problem goes to the core of the humanity of our country.”

5) From Ben, on December 8th.

Ben’s comments are well thought out and clearly come from experience. His suggestion that auditors take a more careful and inquisitive approach during their job interviews in order to improve their chances of accepting jobs in organizations that more closely reflect their ethical values, is excellent.

I also agree with Ben regarding the approach with mid-level management and the need to invest time educating folks in Risk Management. His humorous call for prayers, relaxation and meditation techniques during audits of sales functions is also unique and worth considering!

Prior to the popularity of “Social Media,” blogs, Twitter and the web, most controversial issues impacting an industry or profession remained in a semi-secret state. Today, they can be known to thousands of people instantly. The power of knowledge or as they used to call it, “The Pen” is stronger than the “Sword,” and in most cases it is also stronger than the “Dollar.” Because of this, I believe that the “Dumb” auditor article will make a positive contribution to the efforts being made to resolve the issues cited in the article. At minimum, there will be more awareness of the problems from the perspective of the auditor.

Two days ago I attended a nice Thanksgiving party given by a CIO friend, who, like in previous years, had invited several CFOs, corporate attorneys and high level management people from high profile Fortune 500 companies in the New York region to his house. After a few drinks and delicious turkey, conversations about the state of the economy, technology and the headaches of regulatory compliance ensued. There were two auditors in the group and it felt as if we were the only ones who did not feel regulatory compliance is a headache. My Merlot and turkey friends, perceiving that they had numerical superiority over us, went on to a typical “we hate the auditors” discussion, where we had the “pleasure” of hearing every criticism launched against auditors since the time of Heraclitus. Thank goodness I too had access to the Merlot. One of the discussions that has stayed in my mind is one about how “well appreciated” dumb auditors are. And this I’ve decided to share with you.

Most auditors learn early in their careers that auditing is not a popularity contest. As a result they adjust to the fact that they are paid to investigate, search, test, snoop around, and in many cases confirm the existence of wrongdoing and mistakes by members of the organization at all levels. The auditor is usually the person who has ulterior motives for asking questions, and the one who usually does not bring good news. The auditor by his/her simple presence disrupts the “normal order” of things, makes the staff feel uncomfortable and requires that all evidence be double checked for accuracy and legitimacy. Often, when those being audited most want the auditors to “go away,” some action or words deep in the crevices of the organization send a message to the auditors to dig deeper or further expand their questions. In common language, auditors are a pain in the neck.

The intensity of hatred or dislike towards the auditor however varies depending on his/her ability to understand what he/she is testing or investigating. The smart, experienced auditor tends to ask deep, relevant and timely questions, often not found in a strict audit script or checklist, which can open the doors to problems and issues hidden just below the surface. The smart auditor is happy when he/she finds problems, because he/she sees himself/herself as a solution or insurance policy against risk exposures to the company. However, this feeling is not shared by those who “own” the problems and depending on company politics, the reactions can range from lukewarm admission, challenges bordering on threats from some levels of management, to a long term stealth campaign against the auditor leading to his/her dismissal for supposedly “unrelated reasons.” Like a whistle-blower, the good auditor walks a dangerous road. During difficult times, the good auditor has few or no allies.

The dumb auditor, on the other hand, usually sticks to a rigid script or checklist, and is not likely to expand his/her questions beyond the “scope” of the audit, preassigned or created with the approval of management. The audit process of the dumb auditor tends to be quick, rarely discovering problems and always neatly on time. His/her reports usually sound like this: “We tested A, B, and C and found no exceptions. Management’s controls are working according to established policies and guidelines and” (here is the mandatory recommendation for improvement, so it looks like some work was done) “we believe the Segregation of Duties process in AP can be tightened by implementing the following….. Otherwise all is well.” This cookie-cutter report, used by both Internal and External auditors, is the type that makes its way to most audit committees today. This is also the type of report, according to my friends at the Thanksgiving party, that management wants and pays handsomely for. I found myself looking at the other auditor and realized that we were both nodding in agreement. My friends at the party, all experienced in dealing with auditors, pointed out that “Smart” auditors, or auditors with independent minds, cannot last long in a typical organization, because the very act of following their ethical, inquisitive and legalistic mentalities gets them into serious conflicts with management and they end up fired after short tenures. Also, good auditors have few champions in the organization who see value or gain in “protecting” someone who is serious in his/her responsibility to investigate or test anyone (including them) in the future if they have to. This is simple human nature. A “Dumb” auditor, on the other hand, creates few waves, does not offend or criticize too much, uses neutral and complimentary language in reports, and keeps to his/her “scripts” as planned by management. By playing dumb, this type of auditor is indirectly “winning friends and influencing people.” His/her back is covered because he/she is needed by those who need coverage. The dumb auditor has allies.

In light of current scandals, like the Bernie Madoff case and the mortgage meltdown, it has become common for many to ask: “And where were the auditors while all this was happening?” My answer has to be that most of the auditors involved were diligently doing their jobs as good “dumb” auditors do, so they can stay employed. That is, they were auditing every nook and cranny that was within scope and within the “Risk Appetites” of their organizations, as set by “management.” But what about the codes of conduct, the audit charters, the PCAOB, the SEC, GAAS, ISACA and the IIA? Don’t these organizations have some level of control over how auditors should conduct themselves and how they should investigate and follow up on questionable activities? Are all of these structures useless? My answer is no. These are not useless organizations, and without them the problems cited by my friends at the Thanksgiving party would be much worse. The codes of ethics, guidance documents, audit frameworks and standards created by these organizations are the only line of defense we auditors and audit committees have against the many Barbarians who dwell in the halls of corporate America today. But are these standards and frameworks sufficient? My feeling is that they are not, and here is why. Money corrupts, as every auditor knows. When you follow the money you find the power. Organizationally, there is an imbalance between the auditor and those he/she audits. On the one hand you have a well-meaning, ethical person who wants to do the right thing, making an average mid-level management salary, tasked with uncovering wrongdoing among those at levels that can crush him/her with ease, and whose interests are the maintenance of the status quo, a low profile and making sure the company’s stock value is not disrupted by doubtful auditor reports. In most companies, those in the Director, V.P. and “C” levels (usually persons with net worths in the millions of dollars and stockholders in the company) can easily muster the resources of the organization whenever they raise a red flag regarding a “trouble maker.” The controlling factor here is not bribery, but the threat of dismissal. So, in my opinion, things boil down to a primal level for the auditor. Ethics, integrity, morality, legality and professionalism on one side, versus no job on the other. Unemployment, inability to pay the mortgage, damaged credit rating, children without college tuition, etc. How many good auditors can consistently afford to be martyrs, and when it happens, who shows up at their door to help them pay the mortgage? The fact that the majority of auditors are good, ethical, law-abiding and take their oaths of conduct and ethics seriously is a reflection of the social, religious and cultural values they share with the greater society, and less so of other types of controls promoted by various groups. As these cultural, religious and social values erode, resulting from poor education, dysfunctional families, media aggrandizement of thieves, the belief that the “bad guys” win and little understanding of civics, I suspect we will see more problems relating to poor auditor ethics and values. In general, auditors are still good because they perceive that society provides more positive reinforcement for good behaviors than bad ones.

In addition to the money and power challenges I noted above, there are issues dealing with the “Culture of Auditing,” which most of us are familiar with. In my opinion, many of these favor the “Dumb Auditor.” Some of these also help explain why many Madoff-type schemes go “Undetected.” Here are the top fifteen that come to mind. I am sure there are others:

Auditors are taught to find ways to give bad news in a positive manner. Avoid bad news as much as possible.

Auditors should avoid using the words “Failure,” “Problems,” or naming specific individuals who fail or pose problems. Instead they should call these things “Exceptions,” or “Positive findings Needing Improvement.”

Even when management has repeatedly ignored auditor recommendations and warnings, auditors are expected to be “flexible” and at best point out the issues as “still needing some levels of improvement.”

Auditors are bound by extreme discretion and confidentiality. They are to be like flies on the walls. Rarely seen and not too vocal on any subject or occasion.

Management has the last say in terms of what is possible by way of solutions to issues raised by audit. The “Business” is the key determinant in whether a risk gets addressed as recommended by audit.

Auditors work on behalf of management, and are not to be seen as impediments or obstacles to managements’ decision making. Aggressive auditors can inhibit management’s entrepreneurial spirit.

The auditor is there to protect the business from outside risks.

Management sets the “Risk Appetite” for the company. Auditors work within those parameters. Even when the parameters are not well defined (on purpose).

Auditors are supposed to uphold the utmost ethical standards, but often their superiors lie, cheat and have no scruples. Sometimes the Code of Ethics, zero-tolerance statements, and even the Audit Charter are disregarded at higher levels, while zealously enforced at the lower levels.

Auditors are supposed to remain positive and unmoved, even when those audited assassinate their character, create rumors and gossip about their professionalism, plant fake or doctored evidence against them, and call for their dismissal.

Auditors are supposed to maintain meticulous notes and documentation, while many of their superiors rarely answer email requests for clarifications, or document an opinion.

Auditors are supposed to advocate for and practice “meritocracy,” being in a constant race to obtain and maintain professional certifications, while it is not unusual to see many of their superiors having reached positions of authority because they have either slept, drunk, bought or strong-armed their way up the ladder.

When the Chief Audit Officer is weak, unstable and/or indecisive, audit work is reactive and there is unusual turnover in Internal Audit. Expertise, maturity and professionalism have little time to take root. “Dumb Auditors” flourish in these environments.

In a recession and during cost cutting, some Audit departments let go of their “expensive” talent, keeping lower paid less experienced staff on hand until better times (and budgets) return. “Dumb Auditors” flourish in these environments also.

When the “C” level executives have been around for 10, 15 or 20 years and their “old boy” culture does not care about “irritants” such as “compliance,” or “industry best practices,” or “well designed controls,” and the head of compliance and legal counsel are never in the mood to “disturb” the old boys, smart auditors often become dumb by way of necessity.

As I prepared to finish this article, I discussed it with my friend, the other auditor at the Thanksgiving party, and he felt many of the issues tackled here are highly controversial and uncomfortable. He said I make many generalizations like what constitutes “Dumb” or “Smart.” He said that what I call here the “Dumb Auditor” may really be the “Smart” one. Every person faced with the sorts of challenges I mention has a huge reservoir of personal, professional and family reasons for taking one or another path, and those are known only to that person. Passing judgment as I appear to do in this article may be too insensitive and simplistic. The issues are just too complicated to put them in simple moral boxes.

I admit that my friend makes good points here, and I can only say that in this article my intent is to shed light on what is clearly a serious challenge with ramifications that go far above those of individuals. This is a serious systematic problem in the business world and many good minds in government and in professional organizations worldwide are working hard to find the right solutions. In an ideal world, the typical auditor should not have to spend sleepless nights wondering whether he/she should play “Dumb” or “Smart.”

I personally do not have a clear answer on how to solve these dilemmas for others. I only know what my ethical, moral and social values are, and I have first-hand experience of the high costs and frustrations of being a “Smart” auditor.

If you are a new auditor, I hope I’ve alerted you to issues that may come your way sooner or later. If you are an experienced auditor, I hope that by reading this you realize that you are not the only one who has seen these things.

To all readers: I would appreciate it very much if you left your comments on this subject, so we can make this a more diverse exchange. Do you believe that “Dumb Auditors” indeed have a longer professional longevity than “Smart” ones?

New Audit track for Business Continuity Professionals and IT Auditors. If you are an experienced Auditor or Business Continuity Planner, this is your opportunity to get certified as a Business Continuity Auditor by the leading BCP organization in the USA. DRI International will be offering training in Atlantic City, New Jersey this coming April. For more information on this course, see the notice from DRII below:

Two opportunities at the training you want!

The National Fire Protection Association (NFPA) and the Disaster Recovery Institute International (DRI) have joined forces to create an education and certification program that will qualify participants to audit disaster/emergency management and business continuity programs against existing standards and regulations. Certifications available are: Certified Business Continuity Auditor (CBCA) or Certified Business Continuity Lead Auditor (CBCLA).

Through this program, participants will be able to apply the key components of disaster/emergency management and business continuity, the relevant standards, laws and regulations, the process of risk assessment, vulnerability analysis, loss prevention, risk mitigation, and develop, implement, test and maintain their plans and procedures.

The course will cover existing legal and regulatory requirements by industry and country, as well as emerging requirements, including BS25999, SS540, US PL 110-53 (PS-Prep), NFPA 1600, ASIS, DRI International’s professional practices, and financial services, insurance, healthcare, utilities and public sector guidance, among a host of others. It will also cover the processes by which disaster/emergency management and business continuity programs are initiated, with an eye toward corporate governance, policy, and procedures. More in-depth emergency and disaster management will be provided by NFPA.

At the end of the course, a unique audit-track qualifying examination is conducted, and individuals who have passed will be eligible to apply for certification as a Certified Business Continuity Auditor (CBCA) or Certified Business Continuity Lead Auditor (CBCLA). The certification level (CBCA or CBCLA) will be granted based upon the amount of demonstrated audit experience of the applicant. Those seeking the CBCLA designation will be required to provide references to verify that they have at least five years of active audit experience.

I recently read a good article regarding IT Security Audits which I thought many readers would be interested in. Cheating on IT audits by IT staff is not unheard of to most of us in the auditing business. However, it is a taboo subject that rarely gets any media attention and few ever discuss in public. Whenever we auditors perform an audit, all the information provided to us is accurate, never doctored, performed within the time frame or scope of the audit and properly authorized by management (if you believe this you may be on drugs). Cheating on audits, on purpose or out of ignorance, is common, and this is one of the reasons we have to verify the authenticity and relevancy of the samples and evidence provided to us before we can accept them.
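One concrete way an IT auditor can act on that last sentence is to never accept a firewall rule export at face value: pull a second copy directly from the device, record its fingerprint, and compare what was handed over against what is actually running, while also checking that the handed-over export is from the right device and from inside the audit period. The script below is an added example written for this post, not code from the eWeek article, Tufin or any real engagement; the rule-export format, the host names and the audit window are all constructed for illustration.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample evidence (not from the article or from any real device).
# PROVIDED is the rule export the auditee handed over; PULLED is the export the
# auditor took directly from the firewall during the same engagement.
PROVIDED = """\
# exported=2009-04-20T09:15:00Z host=fw-edge-1
permit tcp 10.1.0.0/16 10.2.0.5/32 443
permit udp 10.1.0.0/16 10.2.0.9/32 53
deny   any any any any
"""

PULLED = """\
# exported=2009-04-28T14:02:00Z host=fw-edge-1
permit tcp 10.1.0.0/16 10.2.0.5/32 443
permit udp 10.1.0.0/16 10.2.0.9/32 53
permit any 0.0.0.0/0 0.0.0.0/0 any
deny   any any any any
"""

# The period the audit is supposed to cover (assumed for the example).
AUDIT_WINDOW = (
    datetime(2009, 4, 1, tzinfo=timezone.utc),
    datetime(2009, 4, 30, 23, 59, 59, tzinfo=timezone.utc),
)


def parse_export(text):
    """Split an export into header metadata and a list of normalised rule tuples.

    Header lines look like '# key=value key=value'; every other non-blank line
    is one rule, normalised by collapsing whitespace so that cosmetic edits do
    not change the fingerprint.
    """
    meta, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            for key, value in re.findall(r"(\w+)=(\S+)", line):
                meta[key] = value
        else:
            rules.append(tuple(line.split()))
    return meta, rules


def fingerprint(rules):
    """SHA-256 over the canonical rule text; record this when you pull evidence."""
    canonical = "\n".join(" ".join(rule) for rule in rules)
    return hashlib.sha256(canonical.encode()).hexdigest()


def parse_timestamp(value):
    """Parse the export header timestamp; None if missing or malformed."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def compare_evidence(provided_text, pulled_text, window):
    """Return a list of findings; an empty list means the evidence checks out."""
    p_meta, p_rules = parse_export(provided_text)
    a_meta, a_rules = parse_export(pulled_text)
    findings = []

    # Relevancy: the export must come from the device under audit ...
    if p_meta.get("host") != a_meta.get("host"):
        findings.append(
            f"host mismatch: provided {p_meta.get('host')!r}, pulled {a_meta.get('host')!r}"
        )

    # ... and from inside the audit period, not a clean config from last year.
    exported = parse_timestamp(p_meta.get("exported"))
    start, end = window
    if exported is None or not (start <= exported <= end):
        findings.append(f"export timestamp {p_meta.get('exported')!r} outside audit window")

    # Authenticity: the provided rules must match what the device actually runs.
    if fingerprint(p_rules) != fingerprint(a_rules):
        missing = [r for r in a_rules if r not in p_rules]
        extra = [r for r in p_rules if r not in a_rules]
        if not missing and not extra:
            findings.append("ruleset fingerprint mismatch: same rules, different order")
        else:
            findings.append(
                f"ruleset fingerprint mismatch: {len(missing)} rule(s) on device not in "
                f"provided evidence {missing}, {len(extra)} rule(s) provided but not on device {extra}"
            )
    return findings


if __name__ == "__main__":
    for finding in compare_evidence(PROVIDED, PULLED, AUDIT_WINDOW):
        print("FINDING:", finding)
```

Run against the constructed samples, the script reports exactly one finding: the wide-open `permit any` rule present on the device is missing from the export the auditee supplied. The point of recording the fingerprint at the moment of collection is that any later "tidy-up" of the evidence, even one that only reorders rules, shows up as a mismatch rather than being silently accepted.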

The article points out that 20% of the 151 IT Security professionals recently polled at a major InfoSecurity conference admitted to cheating on IT security audits of firewalls. Although this sounds like a high figure, and I have never investigated this in any formal way, I will venture to say that in the “field” the number is probably higher than 20%. Here is an excerpt from the eWeek Security Watch article, which you can read in its entirety by clicking the link at the bottom of the post:

“An audit isn’t worth much if the people doing it are cutting corners. Unfortunately, a survey by the folks at Tufin Technologies suggests many IT pros may be doing exactly that.

The survey, which was conducted at the InfoSecurity Europe 2009 Conference in April, took opinions from 151 IT security pros. The aim was to determine companies’ approach to firewall auditing and management.

What Tufin turned up was that 20 percent of the respondents admitted they or a colleague had cheated on an audit to get it passed. The company did not ask specifically how they cheated, citing time constraints. But if applied generally, it could be there are many networks operating a false sense of their own security posture.

Going deeper, 9 percent of the respondents admitted that they never bother to check and audit their firewalls at all….”